Carolyn Watkins is worried. There have been two recent ransomware attacks on Park DuValle Community Health Center, where the 50-year-old has gone for medical care since she was a baby. And despite assurances from officials there that hackers didn’t gain access to about 20,000 patient medical records, Watkins doesn’t believe it.
“I’ve been coming here since I was little, so I’m very worried about my information,” Watkins said. “All my kids have went here, and my grandkids. It’s scary.”
On Thursday, WDRB first reported that Park DuValle paid hackers $70,000 in bitcoin to release medical records and appointment information being held hostage since the most recent attack in June. Watkins found out about the security breach watching the nightly news. She was bewildered: she had a medical appointment in May — a month after the first ransomware attack. And she’d been back twice since then to pick up prescriptions.
“They didn’t tell nobody nothing — like I said it was a surprise to me,” Watkins said.
She was angry that the attacks happened, but also that her health care provider didn’t tell her about them. Angry enough that she said she’ll no longer go to Park DuValle to manage her high blood pressure and gastroesophageal reflux disease.
“As far as Park DuValle, I’m changing my doctor today,” Watkins said. “I’m going out here to Norton’s on Dixie Highway.”
Park DuValle Community Health Center CEO Ann Hagan-Grigsby said there was no way for the clinic to reach out to patients since they’d lost access to phone numbers and addresses. She said staff hadn’t told patients why their computer systems were down, only that they were down. She said that was because she wasn’t sure how to tell patients in a way that wouldn’t create a firestorm.
“I actually met with some other CEOs around the state and said, ‘How do you do this in a way that does not create such a negative impression with patients?’” Hagan-Grigsby said. “People are fearful — they hear virus attacks and ransomware and hackers and their brains go to, ‘we’re not safe there.’ And that’s not true.”
Hackers are increasingly targeting health care providers. Around the same time as Park DuValle’s recent ransomware attack in early June, five other health care organizations across the U.S. were going through the same thing. Those health care entities told media outlets that no patient information had gone to hackers, but instead hackers locked up information and demanded money.
In some cases, medical providers are legally obligated to notify patients and/or media outlets if their information is breached. But in the case of Park DuValle, Hagan-Grigsby said the ransomware attack didn’t qualify as a data breach.
“There was no data exported: you can see on your firewalls when things come in and go out, nothing was going out,” Hagan-Grigsby said. “They encrypted our files.”
She said in this case, her staff debated notifying the media much sooner.
“That’s a judgment call,” Hagan-Grigsby said. “We don’t have any way to publicize other than if we had done a press release to the news media to say this happened and what this will mean for patients. Maybe that’s a good idea — maybe that should be best practice.”
More Attacks On Health Providers
Glenn Cohen, a professor and expert on bioethics and biotechnology at Harvard, said he understands why a health provider might not want to broadcast that they are facing a virtual attack — it exposes that they’re vulnerable and they could be a target for another attack.
“But it does seem to me that they probably have an obligation at some point along the way to tell patients, or why things are being delayed if there’s some belief that it’s affecting patients,” he said.
Cohen said there are a couple of reasons health providers are increasingly under attack by hackers.
“The biggest reason is, I think, the pressure to pay — essentially health care systems have vital health information, and if you can block that up it can have disastrous effects on people’s lives and health,” Cohen said.
In addition, health providers usually rely on insurance payments for services. At Park DuValle, staff haven’t been able to bill for the care they’ve been providing for months. Hagan-Grigsby said the clinic will hopefully gain the ability to start billing insurers again next week.
“Health care systems get paid by insurers, and so you can cripple them financially,” Cohen said.
Watkins, who was picking up a prescription on Friday, pointed out the impact for the clinic might be larger than just not getting paid by insurers. She said Park DuValle’s waiting room was empty, and she’d been able to park right in front of the clinic. Patients, she guessed, weren’t coming either because they weren’t getting appointment reminders, or because they’d heard the news.
“It’s empty in there now — it’s not never empty,” Watkins said. “There’s nobody sitting out here to be registered, and I walked straight in and straight out.”